Personal data protection compliance assessment: A privacy policy scoring approach and empirical evidence from Thailand's SMEs.

Privacy policies, intended to provide information to individuals regarding how their personal data is processed, are often complex and challenging for users to understand. Businesses often demonstrate non-compliance with personal data protection laws, ranging from the absence of privacy policies to the existence of policies that do not adhere to legal requirements. This paper aims to (1) develop a quantitative and systematic tool for evaluating privacy policies' compliance with the Personal Data Protection Act (PDPA), (2) assess compliance among Small and Medium Enterprises (SMEs) in Thailand, and (3) provide recommendations for enhancing compliance practices. To achieve this, we proposed a multi-criteria privacy policy scoring model integrated with comprehensive statistical data analyses. The privacy policy scoring model consists of ten privacy principles and 31 privacy criteria, providing a structured framework for evaluating privacy policies. During a two-year postponement period for enforcing the PDPA law, we conducted a stratified random-sampling survey of 384 SMEs to evaluate their privacy policies using the proposed scoring model. The accomplished results revealed significantly lower scores than anticipated, with the nationwide average score of SMEs reaching only 6.1909 out of 100 points. More than half of the SMEs collected personal data without announcing privacy policies, and those with privacy policies adhered to an average of only 12.15 out of 31 privacy criteria. These findings highlight the pressing need to improve compliance practices among SMEs in Thailand. The proposed methodology can be customized and applied to align with the requirements of personal data protection laws in other countries. Additionally, our findings indicate that compliance with the PDPA is influenced by the Thailand Standard Industrial Classification (TSIC) sections, suggesting the adoption of tailored approaches by policymakers to address the specific needs of different TSIC sections.

Protección de datos en investigación clínica: ¿pseudonimización o anonimización? / [Data protection in clinical research: pseudonymization or anonymization?]

Se pretende analizar la necesidad de codificar los datos de los participantes de un estudio de salud, así como las técnicas que se pueden emplear como medida de protección, analizando sus características, ventajas e inconvenientes y abordándose desde un punto de vista semi-práctico, al desarrollarse brevemente algunas técnicas de codificación. (AU)

Te aim is to analyse the need to code the data of the participants of a health study, as well as the techniques that can be used to do so, analysing their characteristics, advantages and disadvantages and approaching it from a semi-practical point of view, by briefly developing some coding techniques. (AU)

Management of Onsite and Remote Communication in Oncology Hospitals: Data Protection in an Era of Rapid Technological Advances.

Modern communication and information technologies are rapidly being deployed at health care institutions around the world. Although these technologies offer many benefits, ensuring data protection is a major concern, and implementation of robust data protection measures is essential. In this context, health care providers and medical care facilities must frequently make difficult decisions and compromises between the need to provide effective medical care and the need to ensure data security and patient privacy. In the present paper, we describe and discuss key issues related to data protection systems in the setting of cancer care hospitals in Europe. We provide real-life examples from two European countries-Poland and the Czech Republic-to illustrate data protection issues and the steps being taking to address these questions. More specifically, we discuss the legal framework surrounding data protection and technical aspects related to patient authentication and communication.

Workload and procedures used by European data protection authorities related to personal data protection: a cross-sectional study.

OBJECTIVE: Data protection authorities (DPAs) are independent public authorities supervising the application of the data protection law. There is one DPA in each European Union (EU) Member State. Workload and procedures used by European DPAs were analyzed via a cross-sectional study. RESULTS: DPAs from 13 countries participated: Austria, Bulgaria, Croatia, Estonia, Finland, Greece, Italy, Latvia, Liechtenstein, Lithuania, Norway, Romania, and Slovakia. Responding to opinion/guidance requests in DPAs was highly heterogeneous. Procedure types used by DPAs varied, from telephone-based advisory service in Norway to a formal legal opinion in Austria. The deadline for responding to the requests varied considerably in DPAs. The number of opinion/guidance requests sent by data controllers and processors, and the number of opinion/guidance requests and complaints sent by data subjects, increased from 2015 to 2018 when the General Data Protection Regulation (GDPR) came into full effect; it decreased in 2019. Few DPAs organized education about data protection for the research community. In conclusion, the procedures and workload of DPAs in the EU were highly variable. It is important to study these aspects further, as they may assist in tailoring future data protection policies and procedures at the EU level.

Breakthrough infections, hospital admissions, and mortality after major COVID-19 vaccination profiles: A prospective cohort study.

Background: Several COVID-19 vaccination rollout strategies are implemented. Real-world data from the large-scale, government-mandated Central Vaccination Center (CVC), Thailand, could be used for comparing the breakthrough infection, across all available COVID-19 vaccination profiles. Methods: This prospective cohort study combined the vaccine profiles from the CVC registry with three nationally validated outcome datasets to assess the breakthrough COVID-19 infection, hospitalization, and death among Thais individuals who received at least one dose of the COVID-19 vaccine. The outcomes were analyzed by comparing vaccine profiles to investigate the shot effect and homologous effect. Findings: Of 2,407,315 Thais who had at least one dose of COVID-19 vaccine, 63,469 (2.75%) had breakthrough infection, 42,001 (1.79%) had been hospitalized, and 431 (0.02%) died. Per one vaccination shot added, there was an 18% risk reduction of breakthrough infection (adjusted hazard ratio [HR] 0.82, 95% confidence interval [CI] 0.80-0.82), a 25% risk reduction of hospitalization (HR 0.75, 95% CI 0.73-0.76), and a 96% risk reduction of mortality (HR 0.04, 95% CI 0.03-0.06). The heterologous two-shot vaccine profiles had a higher protective effect against infection, hospitalization, and mortality compared to the homologous counterparts. Interpretation: COVID-19 breakthrough infection, hospitalization, and death differ across vaccination profiles that had a different number of shots and types of vaccines. Funding: This study did not involve any funding.

Telemedicina no Brasil: ameaças à proteção de dados pessoais em decorrência da flexibilização da pandemia e da regulamentação precária / Telemedicine in Brazil: threats to the protection of personal data due to both easing of pandemic measures and poor regulation

O presente trabalho analisou os riscos envolvidos na utilização dos recursos de telessaúde e telemedicina, autorizados durante a pandemia de covid-19, sem um correspondente amadurecimento com relação aos requisitos necessários para garantir a segurança dos dados pessoais e dados pessoais sensíveis de seus usuários, seja pela recente entrada em vigor da Lei n. 13.709/2018, seja pela incipiente criação da Autoridade Nacional de Proteção de Dados, que ainda caminha no sentido de se estruturar organicamente. Sob o lume da metodologia civil-constitucional capitaneada por Perlingieri, o artigo destacou a necessidade de que os requisitos tecnológicos abarcados nas relações privadas sejam devidamente adequados aos valores intrínsecos àqueles delineados no texto constitucional, tendo as normas de direito civil como importante vetor na garantia de tal aplicação. A partir de pesquisa qualitativa, valendo-se de fontes indiretas, inclusive legislação estrangeira, e análise à luz da metodologia dedutiva, elencou-se uma série de considerações para a aplicação de recursos da telemedicina no Brasil de maneira adequada e em sintonia com a proteção de dados pessoais de seus cidadãos.

The present work analyzed the risks involved in the use of telehealth and telemedicine resources, authorized during the covid-19 pandemic, without a corresponding maturity in relation to the necessary requirements to guarantee the security of personal data and sensitive personal data of users, whether by the recent entry into force of Law no. 13,709/2018, or the incipient creation of the National Data Protection Authority, which is still moving towards an organic structure. Under the light of the civilconstitutional methodology led by Perlingieri, the article highlights the need for technological requirements encompassed in private relations to be duly adapted to the intrinsic values of those outlined in the constitutional text, with the norms of civil law as an important vector in guaranteeing such an application. Based on qualitative research, using indirect sources, including foreign legislation, and analysis in the light of deductive methodology, a series of considerations are listed for the application of telemedicine resources in Brazil in an adequate manner and in line with the protection of personal data of citizens.

The legal aspect of interoperability of cross border electronic health services: A study of the european and national legal framework.

Legal interoperability constitutes a prerequisite for the provision of high-quality cross border e-health services, like ePrescription and ePatientSummary. A review of EU legislation, policy initiatives and relevant judgments of the European Court of Justice (ECJ) and the European Court of Human Rights (ECHR) was held, concerning personal medical data. Four European social welfare systems, according to Esping - Andersen's typology, were selected and a study of health policy in relation to the national legal framework regarding the data protection regulation is examined. A model of legal interoperability for cross-border eHealth services is proposed for policy makers at EU level based on the following major domains: protection and security of data, transparency and liability, further analyzed in multiple axes and combined with EU targets, policy priorities and basic European legal principles. This model could be viable because of the EU's transnational existence, the coexistence of national and Community law, and the need of novel models of political governance under a unified regulatory and normative base.

Undergraduate nursing students' experiences of distance education during the COVID-19 pandemic.

BACKGROUND: The COVID-19 pandemic has led to significant changes in the field of education, including not least of all the adoption of distance education, which nursing students have had limited experience with in Turkey. PURPOSE: This study aimed to determine the factors affecting nursing students' success in distance education and to evaluate their experiences during this process. METHODS: The study was designed as a descriptive, cross-sectional study and involved the participation of 454 nursing who were members of the Student Nurses Association in Turkey. An evaluation form for assessing students' sociodemographic and distance education-related characteristics and the Distance Education Assessment Questionnaire for Nursing Students (DEAQNS) were used for data collection. RESULTS: The students further reported that the main factors affecting the success of distance education were provision of preliminary information, proficiency level of technological software use, economic status, proficiency level of use of technological devices, and asynchronous learning. CONCLUSIONS: In order to increase the success of distance education, students need information on the protection of personal data and use of technological software and devices in the nursing curriculum.

[Patient's Personal Data Protection Awareness: A Survey of Clinical Nurses].

BACKGROUND: The aim of the Personal Data Protection Act (PDPA) is to regulate the collection, processing, and use of personal information; to avoid the infringement of personal rights; and to promote the reasonable use of personal information. Clinical nurses are frontline patient caregivers, and they are the most likely to have access to patients' personal information. If these nurses do not clearly understand the PDPA, they may violate the law and affect patients' rights. PURPOSE: The purpose of this study was to investigate the knowledge level of clinical nurses regarding the PDPA and related factors, with the findings intended to serve as a reference for continuing education. METHODS: A cross-sectional research design was adopted. A purposive sample of nurses working at a regional hospital in southern Taiwan was selected. A self-administered survey incorporating the self-developed Nurses Knowledge Scale for Patient Personal Data Protection Act (NKSPPDPA) was used to collect data from May to June 2017. RESULTS: A total of 269 valid responses were received (return rate: 89.67%). The mean score on the NKSPPDPA was 68.80 out of a total-possible 100 points. Knowledge related to patient privacy and penalties was relatively low. Moreover, working department, job title, and participation in PDPA-related on-the-job education were found to be significant predictors of NKSPPDPA score, while years of experience was found to have a low correlation only. CONCLUSIONS: The results suggest that clinical nurses have knowledge gaps regarding PDPA, especially in terms of privacy and penalties. Nurses should participate in continuing education to address these knowledge gaps.

[Medical records at the National Hospital of Iceland: Present status and future prospects].

INTRODUCTION: The aim of the research was to examine the status of medical records at the National Hospital in Iceland. The aim was, furthermore, to examine the policy making regarding records among managers and other employees. A research such as this has not been undertaken previously. It provides new knowledge regarding the systematic management of medical records. The academic value of the research is the discovery of how sensitive records are being managed from a legal standpoint as well as information security. The practical value of the research is that its findings can be used as a status evaluation of ongoing assignments and plans within the National Hospital. SUBSTANCE: Qualitative research methods were used for the collection and analysis of the data supported by triangulation and grounded theory. Available written material was examined, interviews were conducted, and participant observations took place. Finally, a focus group was formed. Although the conclusions cannot be generalized, they do provide important indications regarding the state of records management, as a level of saturation was reached in the data collection, and it was deemed unlikely that additional data would have added information of significant value. RESULTS: The findings of the research show that important work has been undertaken to form and implement a policy regarding information and access to records in accordance with law, regulations and international standards. It is obvious that the managers have set themselves ambitious goals in this respect. Moreover, an international certification has been obtained within the health and information technology department regarding information security. CONCLUSIONS: The main problem seems to be twofold: First, a clarification of the administration and responsibility of health records is needed, and second that the hospital has not succeeded in securing enough funds in order to pursue established policies in an effective manner. It was revealed that top management support needs to be strengthened; training and education need improvement and the awareness of hospital staff of their responsibility regarding the security of medical records must be emphasized.

Perceptions of ICT Practitioners Regarding Software Privacy.

During software development activities, it is important for Information and Communication Technology (ICT) practitioners to know and understand practices and guidelines regarding information privacy, as software requirements must comply with data privacy laws and members of development teams should know current legislation related to the protection of personal data. In order to gain a better understanding on how industry ICT practitioners perceive the practical relevance of software privacy and privacy requirements and how these professionals are implementing data privacy concepts, we conducted a survey with ICT practitioners from software development organizations to get an overview of how these professionals are implementing data privacy concepts during software design. We performed a systematic literature review to identify related works with software privacy and privacy requirements and what methodologies and techniques are used to specify them. In addition, we conducted a survey with ICT practitioners from different organizations. Findings revealed that ICT practitioners lack a comprehensive knowledge of software privacy and privacy requirements and the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, LGPD, in Portuguese), nor they are able to work with the laws and guidelines governing data privacy. Organizations are demanded to define an approach to contextualize ICT practitioners with the importance of knowledge of software privacy and privacy requirements, as well as to address them during software development, since LGPD must change the way teams work, as a number of features and controls regarding consent, documentation, and privacy accountability will be required.

Blockchain Tree as Solution for Distributed Storage of Personal ID Data and Document Access Control.

This paper introduces a new method of Blockchain formation for reliable storage of personal data of ID-card holders. In particular, the model of the information system is presented, the new structure of smart ID-cards and information on these cards are proposed. The new structure of Blockchain, "Blockchain Tree", allows not only to store information from ID-cards but also to increase the level of security and access control to this information. The proposed Subchains system allows us to integrate Blockchain of the lower level to Blockchain of the higher level, allowing us to create a multilevel protected system.

Da privacidade à transparência: desafios da interação entre agentes públicos e privados na gestão de informações pessoais / From privacy to transparency: challenges of the public and private interactions in the management of personal information / De la privacidad a la transparencia: desafíos de la interacción entre agentes públicos y privados en la gestión de informaciones personales

Preocupações com a proteção da privacidade marcaram a construção da jovem democracia brasileira. Regras de transparência e publicidade complementam as garantias presentes na Constituição Federal visando garantir controle social sobre as atividades do Estado e prevenir abusos como os ocorridos durantea ditadura militar. Contraditoriamente, porém, com o avanço das tecnologias digitais e da internet assim como das iniciativas de cidades inteligentes, a balança parece estar invertida: as atividades do Estado -inclusive na área de segurança pública e vigilância - seguem secretas e pouco sujeitas a escrutínio público, enquanto cidadãos encontram-se cada vez mais expostos a agentes públicos e privados. Ao mesmo tempo, crescem as preocupações com o poder de vigilância adquirido pelas empresas de tecnologia da informação e comunicação. Esta nota discutirá a questão, trazendo exemplos de como a interação público-privada traz novos riscos à privacidade, inclusive no que diz respeito a seu aspecto de bem social.

Concern about the protection of privacy marked the construction of the young Brazilian democracy. Transparency and publicity rules complement the guarantees contained in the Federal Constitution to guarantee social control over State activities and prevent abuses like the ones occurred during years of military dictatorship. Contradictorily, however, with the advancement of digital technologies and the internet and of smart city initiatives, the situation seems to be reversed: State activities - including those developed in the area of public security and surveillance - remain secret and little subject to public scrutiny,while citizens are increasingly exposed to public and private actors. At the same time, concern about the surveillance power acquired by information and communication technology companies is growing. This paper will discuss this issue, bringing examples of how public-private interaction brings new risks to privacy, including with regard to its aspect of social good.

Preocupaciones por la protección de la privacidad marcaron la construcción de la joven democracia brasileña. Normas de transparencia y publicidad complementan las garantías presentes en la Constitución Federal para garantizar el control social sobre las actividades del Estado y evitar abusos como los ocurridos durante los años de la dictadura militar. Paradójicamente, sin embargo, con el avance de las tecnologías digitales e de la Internet y de las iniciativas de ciudades inteligentes, la situación parece estar invertida: mientras las actividades del Estado – incluso con respeto a la seguridad y la vigilancia - siguen secretas ypoco sujetas al escrutinio público, los ciudadanos tienen su privacidad cada vez más sin protección frente a agentes privados y públicos. Al mismo tiempo, existe una creciente preocupación por el poder de vigilancia adquirido por las empresas de tecnología de información y comunicación. Este artículo discutirá estetema, presentando ejemplos de cómo la interacción público-privada trae nuevos riesgos para la privacidad, incluso con respecto a su aspecto de bien social.

Spaced Education and the Importance of Raising Awareness of the Personal Data Protection Act: A Medical Student Population-Based Study.

BACKGROUND: The Personal Data Protection Act (PDPA) of Singapore was first passed in 2012, with subsequent enforcement regulations effective in 2014. Although medical education via digital platforms is not often used in medical schools in Singapore as of yet, many current means of communication at all levels in the medical community from medical schools to clinics to hospitals are unsecure and noncompliant with the PDPA. OBJECTIVE: This pilot study will assess the effectiveness of MyDoc, a secure, mobile telehealth application and messaging platform, as an educational tool, secure communications tool, and a tool to raise awareness of the PDPA. METHODS: By replacing current methods of communication with MyDoc and using weekly clinical case discussions in the form of unidentifiable clinical photos and questions and answers, we raised awareness the PDPA among medical students and gained feedback and determined user satisfaction with this innovative system via questionnaires handed to 240 medical students who experienced using MyDoc over a 6-week period. RESULTS: All 240 questionnaires were answered with very positive and promising results, including all 100 students who were not familiar with the PDPA prior to the study attributing their awareness of it to MyDoc. CONCLUSIONS: Potential uses of MyDoc in a medical school setting include PDPA-compliant student-to-student and student-to-doctor communication and clinical group case discussions with the sharing of patient-sensitive data, including clinical images and/or videos of hospital patients that students may benefit from viewing from an educational perspective. With our pilot study having excellent results in terms of acceptance and satisfaction from medical students and raising awareness of the PDPA, the integration of a secure, mobile digital health application and messaging platform is something all medical schools should consider, because our students of today are our doctors of tomorrow.

Trust and Privacy Solutions Based on Holistic Service Requirements.

The products and services designed for Smart Cities provide the necessary tools to improve the management of modern cities in a more efficient way. These tools need to gather citizens' information about their activity, preferences, habits, etc. opening up the possibility of tracking them. Thus, privacy and security policies must be developed in order to satisfy and manage the legislative heterogeneity surrounding the services provided and comply with the laws of the country where they are provided. This paper presents one of the possible solutions to manage this heterogeneity, bearing in mind these types of networks, such as Wireless Sensor Networks, have important resource limitations. A knowledge and ontology management system is proposed to facilitate the collaboration between the business, legal and technological areas. This will ease the implementation of adequate specific security and privacy policies for a given service. All these security and privacy policies are based on the information provided by the deployed platforms and by expert system processing.

The application of telemedicine in orthopedic surgery in singapore: a pilot study on a secure, mobile telehealth application and messaging platform.

BACKGROUND: The application of telemedicine has been described for its use in medical training and education, management of stroke patients, urologic surgeries, pediatric laparoscopic surgeries, clinical outreach, and the field of orthopedics. However, the usefulness of a secure, mobile telehealth application, and messaging platform has not been well described. OBJECTIVE: A pilot study was conducted to implement a health insurance portability and accountability act (HIPAA) compliant form of communication between doctors in an orthopedic clinical setting and determine their reactions to MyDoc, a secure, mobile telehealth application, and messaging platform. METHODS: By replacing current methods of communication through various mobile applications and text messaging services with MyDoc over a six week period, we gained feedback and determined user satisfaction with this innovative system from questionnaires handed to the program director, program coordinator, one trauma consultant, all orthopedic residents, and six non-orthopedic residents at the National University Hospital in Singapore. RESULTS: Almost everyone who completed the questionnaire strongly agreed that MyDoc should replace current systems of peer to peer communication in the hospital. The majority also felt that the quality of images, videos, and sound were excellent. Almost everyone agreed that they could communicate easily with each other and would feel comfortable doing so routinely. The majority felt that virtual consults through MyDoc should be made available to inpatients as well as outpatients to potentially lessen clinic loads and provide a secure manner in which patients can communicate with their primary teams any time convenient to both. It was also agreed by most that the potential of telerounding had advantages, especially on weekends as a supplement to normal rounds. CONCLUSIONS: Potential uses of MyDoc in an orthopedic clinical setting include HIPAA-compliant peer to peer communication, clinical outreach in the setting of trauma, supervision in the operating room or watching procedures being performed remotely, providing both patient and parent reassurance in pediatric orthopedic patients, and finally in the setting of outpatient clinics. With our pilot study having excellent results in terms of acceptance and satisfaction, the integration of a secure, mobile telehealth application, and messaging platform, not only in the orthopedic department but also the hospital in general, has an exciting and limitless potential. More so in this era where downsizing hospital costs is beneficial, doing so may also be mandatory in order to comply with the soon to be introduced personal data protection act.

A flexible approach to distributed data anonymization.

Sensitive biomedical data is often collected from distributed sources, involving different information systems and different organizational units. Local autonomy and legal reasons lead to the need of privacy preserving integration concepts. In this article, we focus on anonymization, which plays an important role for the re-use of clinical data and for the sharing of research data. We present a flexible solution for anonymizing distributed data in the semi-honest model. Prior to the anonymization procedure, an encrypted global view of the dataset is constructed by means of a secure multi-party computing (SMC) protocol. This global representation can then be anonymized. Our approach is not limited to specific anonymization algorithms but provides pre- and postprocessing for a broad spectrum of algorithms and many privacy criteria. We present an extensive analytical and experimental evaluation and discuss which types of methods and criteria are supported. Our prototype demonstrates the approach by implementing k-anonymity, ℓ-diversity, t-closeness and δ-presence with a globally optimal de-identification method in horizontally and vertically distributed setups. The experiments show that our method provides highly competitive performance and offers a practical and flexible solution for anonymizing distributed biomedical datasets.